As a system administrator, Linux security technician or system auditor, your responsibilities can involve any combination of these: software patch management, malware scanning, file integrity checks, security audits, configuration error checking, etc. An automatic vulnerability scanning tool can save you a lot of time checking for common security issues.

One such vulnerability scanner on Linux is lynis. This tool is actually supported on multiple platforms including CentOS, Debian, Fedora, FreeBSD, Mac OS and Ubuntu.

To install lynis on Linux, open a terminal and run the following commands:

[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[20:19:41] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[20:19:41] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[20:19:42] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
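Each suggestion above carries a timestamp and a test ID, which makes the output easy to group and to compare between runs. The following Python sketch is an added example, not part of the original article or of lynis itself; the function names and the YESTERDAY sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# One entry looks like: [20:19:41] Suggestion: <text> [test:AUTH-9262]
# finditer() is used instead of line splitting so that entries which were
# run together on a single line are still separated correctly.
ENTRY_RE = re.compile(
    r"\[(\d{2}:\d{2}:\d{2})\]\s+Suggestion:\s+(.*?)\s*\[test:([A-Z]+-\d+)\]",
    re.S,
)

def parse_suggestions(log_text):
    """Return a list of (time, test_id, suggestion_text) tuples."""
    return [(m.group(1), m.group(3), m.group(2)) for m in ENTRY_RE.finditer(log_text)]

def group_by_test(entries):
    """Map each test ID to every suggestion text raised under it."""
    grouped = defaultdict(list)
    for _time, test_id, text in entries:
        grouped[test_id].append(text)
    return dict(grouped)

def compare_runs(previous_log, current_log):
    """Return (new_ids, cleared_ids): test IDs that appeared or disappeared."""
    prev = set(group_by_test(parse_suggestions(previous_log)))
    curr = set(group_by_test(parse_suggestions(current_log)))
    return sorted(curr - prev), sorted(prev - curr)

# Entries taken from the output shown above; the first two are joined on purpose.
TODAY = (
    "[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]"
    "[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]\n"
    "[20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]\n"
    "[20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]\n"
)
# Constructed "previous run" used only for the comparison (not from the article).
YESTERDAY = (
    "[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]\n"
    "[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]\n"
)

if __name__ == "__main__":
    for test_id, texts in sorted(group_by_test(parse_suggestions(TODAY)).items()):
        print(f"{test_id}: {len(texts)} finding(s)")
        for text in texts:
            print(f"  - {text}")
    new_ids, cleared_ids = compare_runs(YESTERDAY, TODAY)
    print("new since previous run:", new_ids)
    print("no longer reported:", cleared_ids)
```

Grouping by test ID shows when one check (here AUTH-9328) fires for several files, and the comparison highlights findings that are new since the previous scan.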

How to scan your system for vulnerabilities on a daily basis

To get the most out of lynis, it’s recommended to run it on a regular basis, for example, as a daily cronjob. When run with the “--cronjob” option, lynis runs in automatic, non-interactive scan mode.

The following is a daily cronjob script that runs lynis in automatic mode to audit your system, and archives daily scan reports.